The Golay codes

Mario de Boer and Ruud Pellikaan ∗

Appeared in Some tapas of computer algebra (A.M. Cohen, H. Cuypers and H. Sterk eds.), Project 7, The Golay codes, pp. 338-347, Springer, Berlin 1999, after the EIDMA/Galois minicourse on Computer Algebra, September 27-30, 1995, Eindhoven.

∗Both authors are from the Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.

Contents

1 Introduction

2 Minimal weight codewords of G11

3 Decoding of G23 with Gröbner bases

4 One-step decoding of G23

5 The key equation for G23

6 Exercises

1 Introduction

In this project we will give examples of methods described in the previous chapters on finding the minimum weight codewords, the decoding of cyclic codes and working with the Mathieu groups. The codes that we use here are the well known Golay codes. These codes are among the most beautiful objects in , and we would like to give some reasons why.

There are two Golay codes: the ternary G11 and the binary cyclic code G23.

The G11 has parameters [11, 6, 5], and it is the unique code with these parameters. The automorphism group Aut(G11) is the . The group M11 is simple, 4-fold transitive and has size 11 · 10 · 9 · 8. The supports of the codewords of weight 5 form the blocks of a 4-design, the unique S(4, 5, 11). The ternary Golay code is a perfect code: this means that the Hamming spheres of radius (d − 1)/2 = 2 centered at the codewords of G11 exactly cover the whole space $\mathbb{F}_3^{11}$. The code G11 can be uniquely extended to a [12, 6, 6] code, which we will denote by G12. The code G12 is self-dual and Aut(G12) = M12: the simple, 5-fold transitive Mathieu group of size 12 · 11 · 10 · 9 · 8. The supports of the codewords of weight 6 in G12 form a 5-design, the unique S(5, 6, 12).

The G23 has similar properties. Its parameters are [23, 12, 7], and it is the unique code with these parameters. The automorphism group Aut(G23) is the Mathieu group M23. The group M23 is simple, 4-fold transitive and has size 23 · 22 · 21 · 20 · 48. The supports of the codewords of weight 7 form the blocks of a 4-design, the unique Steiner system S(4, 7, 23). The binary Golay code is a perfect code, so the Hamming spheres of radius 3 centered at the codewords of G23 exactly cover the whole space $\mathbb{F}_2^{23}$. The code G23 can be uniquely extended to a [24, 12, 8] code, which we will denote by G24. The code G24 is self-dual and Aut(G24) = M24: the simple, 5-fold transitive Mathieu group of size 24 · 23 · 22 · 21 · 20 · 48. The supports of the codewords of weight 8 in G24 form a 5-design, the unique S(5, 8, 24).

2 Minimal weight codewords of G11

G11 is the ternary cyclic code of length 11 with defining set J = {1}. It is a [11, 6, d] code with complete defining set J(G11) = {1, 3, 4, 5, 9}. The generator polynomial is

$$g(X) = \prod_{j \in J(G_{11})} (X - \alpha^j) = 2 + X^2 + 2X^3 + X^4 + X^5.$$

From the BCH bound we see that d ≥ 4, and by computing Gröbner bases we will show that in fact d = 5. Moreover we will determine all codewords of minimal weight.

First we consider the system $S_{G_{11}}(4)$:

$$
S_{G_{11}}(4) = \begin{cases}
A_5 + \sigma_1 A_4 + \sigma_2 A_3 + \sigma_3 A_2 + \sigma_4 A_1 = 0 \\
A_6 + \sigma_1 A_5 + \sigma_2 A_4 + \sigma_3 A_3 + \sigma_4 A_2 = 0 \\
\qquad \vdots \\
A_4 + \sigma_1 A_3 + \sigma_2 A_2 + \sigma_3 A_1 + \sigma_4 A_0 = 0 \\
A_j = 0 \text{ for } j \in J(G_{11}) \\
A_{3j} = A_j^3 \text{ for } j = 1, \ldots, 11.
\end{cases}
$$

Using $A_{3i} = A_i^3$ we can express every $A_i$ with $i \in \{1, 2, \ldots, 10\} \setminus J(G_{11})$ as a power of $A_2$ (this can be done since all of these i form a single cyclotomic coset). Setting $A_i = 0$ for $i \in J(G_{11})$ and writing $A_2 = a$ and $A_0 = b$ this reduces $S_{G_{11}}(4)$ to

$$
S_{G_{11}}(4) = \begin{cases}
\sigma_3 a = 0 \\
a^3 + \sigma_4 a = 0 \\
a^9 + \sigma_1 a^3 = 0 \\
a^{81} + \sigma_1 a^9 + \sigma_2 a^3 = 0 \\
\sigma_1 a^{81} + \sigma_2 a^9 + \sigma_3 a^3 = 0 \\
a^{27} + \sigma_2 a^{81} + \sigma_3 a^9 + \sigma_4 a^3 = 0 \\
b + \sigma_1 a^{27} + \sigma_3 a^{81} + \sigma_4 a^9 = 0 \\
\sigma_1 b + \sigma_2 a^{27} + \sigma_4 a^{81} = 0 \\
a + \sigma_2 b + \sigma_3 a^{27} = 0 \\
\sigma_1 a + \sigma_3 b + \sigma_4 a^{27} = 0 \\
\sigma_2 a + \sigma_4 b = 0 \\
b^3 - b = 0.
\end{cases}
$$

Computing a Gröbner basis G with respect to the lexicographic order with

$$\sigma_4 > \sigma_3 > \sigma_2 > \sigma_1 > b > a$$

gives G = {b, a} and hence there are no nonzero codewords of weight at most 4. We conclude d ≥ 5, and even d = 5, since the weight of the generator polynomial is wt(g(X)) = 5. To determine the minimum weight codewords we consider the system $S_{G_{11}}(5)$:

$$
S_{G_{11}}(5) = \begin{cases}
A_6 + \sigma_1 A_5 + \sigma_2 A_4 + \sigma_3 A_3 + \sigma_4 A_2 + \sigma_5 A_1 = 0 \\
A_7 + \sigma_1 A_6 + \sigma_2 A_5 + \sigma_3 A_4 + \sigma_4 A_3 + \sigma_5 A_2 = 0 \\
\qquad \vdots \\
A_5 + \sigma_1 A_4 + \sigma_2 A_3 + \sigma_3 A_2 + \sigma_4 A_1 + \sigma_5 A_0 = 0 \\
A_i = 0 \text{ for } i \in J(G_{11}) \\
A_{3i} = A_i^3 \text{ for } i = 0, \ldots, 10.
\end{cases}
$$

Again we can reduce the system as we did in the system $S_{G_{11}}(4)$ and compute its Gröbner basis with respect to the lexicographic order with

$$\sigma_5 > \sigma_4 > \sigma_3 > \sigma_2 > \sigma_1 > b > a.$$

After 2 minutes using Axiom or 10 minutes using Macaulay, the resulting basis G is

$$
G = \left\{ \begin{array}{l}
\sigma_5 a + 2a^{31} + 2a^{9}, \quad \sigma_4 a + a^{3}, \quad \sigma_3 a + 2a^{107} + a^{41} + 2a^{19}, \\
\sigma_2 a + a^{79} + 2a^{35} + a^{13}, \quad \sigma_1 a + a^{29} + 2a^{7}, \\
b + a^{77} + 2a^{55} + a^{33} + a^{11}, \quad a^{133} + 2a^{111} + 2a^{89} + 2a^{67} + a^{45} + a,
\end{array} \right.
$$

where $a = A_2$ and $b = A_0$. From the triangular form of the basis G, it is easy to see that the number of codewords of weight 5 in G11 equals the number of nonzero solutions to

$$f(X) = X^{133} + 2X^{111} + 2X^{89} + 2X^{67} + X^{45} + X = 0$$

in $\mathbb{F}_{3^5}$. We determine these solutions in the following exercise.

Exercise 2.1 Let $\alpha \in \mathbb{F}_{3^5}$ be a primitive element. Now show

1. $f(1) = 0$;
2. $f(\alpha^2) = 0$ (you can use a computer algebra package for this);
3. $f(\alpha^{11} X) = \alpha^{11} f(X)$.

Conclude from this that the complete set of zeros of f(X) in $\mathbb{F}_{3^5} \setminus \{0\}$ is

$$M = \{\alpha^{i+11j} \mid i \in \{0, 1, \ldots, 10\} \setminus J(G_{11}),\ j \in \{0, 1, \ldots, 21\}\}.$$

So the number of codewords of weight 5 is #M = 132 and the locators of these words (i.e. the polynomials having as zeros the reciprocals of positions where the codewords have a nonzero value) are given by

$$
\sigma(X, a) = (a^{30} + a^{8})X^5 + 2a^{2}X^4 + (a^{106} + 2a^{40} + a^{18})X^3 + (2a^{78} + a^{34} + 2a^{12})X^2 + (2a^{28} + a^{6})X + 1,
$$

with a ∈ M. Since the code is cyclic, any shift of a codeword of weight 5 is again a codeword of weight 5. We can recognize this fact from M in the following way.

Exercise 2.2 Show that there exists a primitive 11-th root of unity β such that $\sigma(X, \alpha^{11} a) = \sigma(\beta X, a)$ for all a ∈ M.

Now we can conclude that the codewords of weight 5 consist of the 6 codewords with locator polynomials σ(X, a), $a \in \{1, \alpha^2, \alpha^6, \alpha^7, \alpha^8, \alpha^{10}\}$, their cyclic shifts, and their non-zero multiples in $\mathbb{F}_3^{11}$.

Exercise 2.3 Let α again be a primitive element in $\mathbb{F}_{3^5}$, then $\beta = \alpha^{22}$ is a fixed 11-th root of unity. Check that the zeros of the 6 polynomials σ(X, a) are:

$$
\begin{array}{ll}
\text{polynomial} & \{i \mid \beta^{-i} \text{ is a zero}\} \\
\hline
\sigma(X, 1) & 2, 6, 7, 8, 10 \\
\sigma(X, \alpha^{2}) & 3, 4, 9, 10, 11 \\
\sigma(X, \alpha^{6}) & 1, 5, 8, 9, 11 \\
\sigma(X, \alpha^{7}) & 1, 2, 8, 10, 11 \\
\sigma(X, \alpha^{8}) & 2, 3, 5, 7, 9 \\
\sigma(X, \alpha^{10}) & 3, 5, 8, 10, 11
\end{array}
$$

Let B consist of the 6 subsets in {1, ..., 11} of size 5 in the table and their cyclic shifts modulo 11. Then |B| = 66. Show that B is the set of blocks of a 4-design, the Steiner system S(4, 5, 11).
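As a cross-check on the Gröbner basis computation of this section, the following added example (not part of the original text) enumerates all 3^6 codewords generated by g(X), counts them by weight, and tests whether the supports of the minimum weight words form a Steiner system S(4, 5, 11). Positions are numbered 0 to 10 here, and the function names are the example's own.

```python
from collections import Counter
from itertools import combinations, product

N = 11
G = [2, 0, 1, 2, 1, 1]      # g(X) = 2 + X^2 + 2X^3 + X^4 + X^5, lowest degree first

def encode(msg):
    """m(X) g(X) over F_3; deg m <= 5, so no reduction mod X^11 - 1 is needed."""
    word = [0] * N
    for i, m in enumerate(msg):
        for j, g in enumerate(G):
            word[i + j] = (word[i + j] + m * g) % 3
    return tuple(word)

def codewords():
    return [encode(m) for m in product(range(3), repeat=6)]

def weight(word):
    return sum(1 for x in word if x)

def weight_distribution():
    return dict(sorted(Counter(weight(c) for c in codewords()).items()))

def minimum_weight_supports():
    """Minimum distance d and the set of supports of the codewords of weight d."""
    d = min(w for w in weight_distribution() if w > 0)
    return d, {frozenset(i for i, x in enumerate(c) if x)
               for c in codewords() if weight(c) == d}

def blocks_through_each_subset(blocks, t):
    """Values taken by the number of blocks that contain a given t-subset of positions."""
    return {sum(1 for b in blocks if set(q) <= b) for q in combinations(range(N), t)}

def closed_under_shift(words):
    """True if every cyclic shift of a word in the list is again in the list."""
    ws = set(words)
    return all(w[-1:] + w[:-1] in ws for w in ws)

if __name__ == "__main__":
    d, blocks = minimum_weight_supports()
    print(weight_distribution())
    print(d, len(blocks), blocks_through_each_subset(blocks, 4))
```

Each support occurs for a codeword and for its multiple by 2, which is why 132 words give 66 blocks.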

3 Decoding of G23 with Gröbner bases

Let G23 be the binary cyclic code of length 23 with defining set J = {1}. Then the complete defining set is J(G23) = {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18} and the code has parameters [23, 12, d]. The BCH bound states that d ≥ 5 but in fact d = 7. This can be checked in the same way as we did in the previous section for the ternary Golay code. The computer algebra packages we tried did not perform very well on the systems $S_{G_{23}}(w)$. Since the minimum distance is 7, G23 should be able to correct errors of weight at most 3. In this example we will decode a word with three errors.

Take

$$\mathbb{F}_{2^{11}} = \mathbb{F}_2[\beta]/(\beta^{11} + \beta^2 + 1)$$

and set $\alpha = \beta^{89}$. Then β is a primitive element of $\mathbb{F}_{2^{11}}$ and α has order 23. The generator polynomial of the code is

$$g(X) = \prod_{j \in J(G_{23})} (X - \alpha^j) = 1 + X + X^5 + X^6 + X^7 + X^9 + X^{11}.$$

Suppose we send the codeword g(X), which corresponds to the binary vector

c = (1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)

over a noisy channel, and the following error occurs during transmission:

e = (1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0).

As a result at the other end of the channel the following vector will be received:

y = (0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0),

corresponding to the polynomial

$$r(X) = X + X^3 + X^5 + X^6 + X^7 + X^9 + X^{11} + X^{17}.$$

We will now decode the received word by applying the decoding algorithm. First we compute the syndrome:

$$s_1 = Hy = r(\alpha) = \alpha + \alpha^3 + \alpha^5 + \alpha^6 + \alpha^7 + \alpha^9 + \alpha^{11} + \alpha^{17} = \beta^9 + \beta^6 + \beta^3 + \beta^2 + 1.$$

Since $s_1 \neq 0$ we see that errors have occurred during transmission. We already remarked that the $Y_i$ variables can be disposed of by setting them equal to 1, since 1 is the only error value that can occur.

Following the algorithm of Section ?? we set

$$\mathcal{S} = \{X_1 + \beta^9 + \beta^6 + \beta^3 + \beta^2 + 1,\ X_1^{23} + 1\}$$

and can conclude that there are no solutions since $s_1$ is not a 23-rd root of unity. In the next step we set

$$\mathcal{S} = \{X_2 + X_1 + \beta^9 + \beta^6 + \beta^3 + \beta^2 + 1,\ X_2^{23} + 1,\ X_1^{23} + 1\}$$

and compute its Gröbner basis with respect to the lexicographic order with $X_2 > X_1$: G = {1}. Since 1 ∈ G there is no solution to these syndrome equations and we proceed with the loop of the algorithm. We set

$$\mathcal{S} = \{X_3 + X_2 + X_1 + \beta^9 + \beta^6 + \beta^3 + \beta^2 + 1,\ X_3^{23} + 1,\ X_2^{23} + 1,\ X_1^{23} + 1\},$$

and a Gröbner basis with respect to the lexicographic order with $X_3 > X_2 > X_1$ is computed:

$$
\left\{ \begin{array}{l}
X_3 + X_2 + X_1 + \beta^9 + \beta^6 + \beta^3 + \beta^2 + 1, \\
X_2^2 + X_2 X_1 + (\beta^9 + \beta^6 + \beta^3 + \beta^2 + 1)X_2 + X_1^2 + (\beta^9 + \beta^6 + \beta^3 + \beta^2 + 1)X_1 + \beta^6 + \beta^5 + \beta^2, \\
X_1^3 + (\beta^9 + \beta^6 + \beta^3 + \beta^2 + 1)X_1^2 + (\beta^6 + \beta^5 + \beta^2)X_1 + \beta^9 + \beta^5 + \beta^3.
\end{array} \right.
$$

This took 8 minutes using Axiom. We did the same computation with $X_j^{24} + X_j$ instead of $X_j^{23} + 1$ for j = 1, 2, 3 and it took only 90 seconds. Now 1 ∉ G and there are solutions to the syndrome equations. The error locator polynomial is

$$g(X_1) = X_1^3 + (\beta^9 + \beta^6 + \beta^3 + \beta^2 + 1)X_1^2 + (\beta^6 + \beta^5 + \beta^2)X_1 + \beta^9 + \beta^5 + \beta^3$$

and its zeros are the error locators $\{\alpha^0, \alpha^3, \alpha^{17}\}$. Hence the errors occurred at positions 0, 3 and 17 and the word that was sent is

y − (1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0) =

(1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0).

We have recovered the transmitted codeword c.
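Because there are only 23 candidate locators, the loop over t = 1, 2, 3 can be reproduced by direct search instead of Gröbner bases; this added example (not part of the original text, with function names of its own) recomputes s1 in the β-basis, repeats that loop, and goes one step further by tabulating the syndromes of all error patterns of weight at most 3. Field elements are stored as 11-bit integers whose bit k is the coefficient of β^k.

```python
from itertools import combinations

MOD, N = 0b100000000101, 23             # beta^11 + beta^2 + 1; code length
EXP = [1]                               # EXP[i] = beta^i as an 11-bit mask
for _ in range(2046):
    x = EXP[-1] << 1
    EXP.append(x ^ MOD if x >> 11 else x)
LOC = [EXP[89 * i % 2047] for i in range(N)]    # alpha^i with alpha = beta^89

def locator_sum(positions):
    """alpha^i1 + ... + alpha^it for the given positions (addition is XOR)."""
    s = 0
    for p in positions:
        s ^= LOC[p]
    return s

def syndrome(word):
    """s1 = r(alpha) for a word given as a list of 23 bits."""
    return locator_sum(i for i, bit in enumerate(word) if bit)

def solutions(s1, t):
    """Sets of t distinct positions whose locators add up to s1."""
    return [p for p in combinations(range(N), t) if locator_sum(p) == s1]

def decode(word, tmax=3):
    """Try t = 1, 2, 3 in turn, as the loop in the text does."""
    s1 = syndrome(word)
    if s1 == 0:
        return list(word), ()
    for t in range(1, tmax + 1):
        found = solutions(s1, t)
        if found:
            errors = found[0]
            return [b ^ (i in errors) for i, b in enumerate(word)], errors
    return None, None

def syndrome_table():
    """Every error pattern of weight 1..3, keyed by its syndrome s1."""
    return {locator_sum(p): p for t in (1, 2, 3) for p in combinations(range(N), t)}

# Words from the text: the codeword g(X) and the received word y.
C = [1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1] + [0] * 11
Y = [0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    print(f"s1 = {syndrome(Y):011b}", decode(Y)[1], len(syndrome_table()))
```

The table has one entry for each of the 2^11 − 1 nonzero field elements, which is the perfect-code property from the introduction seen on the syndrome side.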

4 One-step decoding of G23

In this paragraph we will decode all error patterns of weight 3 that can occur in a codeword of the code G23 at once by computing the Gröbner basis for variable syndromes S. Apart from the advantage that all syndromes are treated at once, it also has the advantage that the computations take place over the field $\mathbb{F}_2$ instead of the large field $\mathbb{F}_{2^{11}}$. The system of equations is:

$$
\mathcal{S} = \begin{cases}
X_3 + X_2 + X_1 + S = 0 \\
X_3^{23} + 1 = 0 \\
X_2^{23} + 1 = 0 \\
X_1^{23} + 1 = 0.
\end{cases}
$$

The outcome of this set of equations is quite complicated. The result is much simpler if we consider the following set of equations.

$$
\mathcal{S}' = \begin{cases}
X_3 + X_2 + S + X_1 = 0 \\
X_3^{24} + X_3 = 0 \\
X_2^{24} + X_2 = 0 \\
X_1^{24} + X_1 = 0.
\end{cases}
$$

With the lexicographic order with $X_3 > X_2 > X_1 > S$ the computer was still not finished with its computations after 24 hours. Loustaunau and York did this example where they started with the above system, which is a Gröbner basis with respect to lexicographic order with $S > X_3 > X_2 > X_1$, and transformed it into a Gröbner basis with respect to lexicographic order with $X_3 > X_2 > X_1 > S$ as explained in the Notes of Chapter ??. Using the lexicographic order with $X_3 > X_2 > S > X_1$ we obtain the Gröbner basis:

$$
G = \left\{ \begin{array}{l}
X_3 + X_2 + S + X_1, \\
X_2^{24} + X_2, \\
X_2^2 S + X_2^2 X_1 + X_2 S^2 + X_2 X_1^2 + S^{256} + S^3 + S^2 X_1 + S X_1^2, \\
g(X_1), \\
X_1^{24} + X_1,
\end{array} \right.
$$

with

$$
\begin{aligned}
g(X_1) ={} & (S^{256} + S^{3})X_1^{21} + (S^{257} + S^{4})X_1^{20} + {} \\
& (S^{260} + S^{7})X_1^{17} + (S^{261} + S^{8})X_1^{16} + {} \\
& (S^{32} + S^{9})X_1^{15} + (S^{33} + S^{10})X_1^{14} + {} \\
& (S^{34} + S^{11})X_1^{13} + (S^{35} + S^{12})X_1^{12} + {} \\
& (S^{36} + S^{13})X_1^{11} + (S^{37} + S^{14})X_1^{10} + {} \\
& (S^{38} + S^{15})X_1^{9} + (S^{39} + S^{16})X_1^{8} + {} \\
& (S^{40} + S^{17})X_1^{7} + (S^{64} + S^{41})X_1^{6} + {} \\
& (S^{272} + S^{42})X_1^{5} + (S^{273} + S^{66} + S^{43} + S^{20})X_1^{4} + {} \\
& (S^{44} + S^{21})X_1^{3} + (S^{68} + S^{45})X_1^{2} + {} \\
& (S^{276} + S^{46})X_1 + (S^{277} + S^{70} + S^{47} + S).
\end{aligned}
$$

We conclude that for a general syndrome S we find the error-locator polynomial

$$\gcd(g(X_1), X_1^{23} + 1).$$

These computations took 120 seconds using Axiom. The original set of equations $\mathcal{S}$ took 150 seconds. Macaulay did both these computations on the same computer in 3 seconds.

Exercise 4.1 Notice that the coefficient of $X_1^i$ is divisible by $S^{23} + 1$ for all i. Denote $g(X_1)/(S^{23} + 1)$ by $h(X_1)$.

Exercise 4.2 Suppose $s = x_1 + x_2 + x_3$ with $x_j \in \mathbb{F}_{2^{11}}$ and $x_j^{23} = 1$ for all j. Show that $s^{23} = 1$ if and only if $x_i = x_j$ for some i, j with 1 ≤ i < j ≤ 3.

Exercise 4.3 Compute $\gcd(h(X_1), X_1^{23} + 1)$ with Euclid’s algorithm in the ring $\mathbb{F}_q(S)[X_1]$ and show that it is a polynomial of degree 3 in $X_1$ with rational functions in S as coefficients.

5 The key equation for G23

In this section we will use the Euclidean algorithm to decode an error that occurred during the transmission of a codeword of the binary Golay code G23. As we mentioned in Section ??, decoding a cyclic code C by solving the key equation only works for errors of weight at most (δ − 1)/2, where δ is maximal such that {1, 2, ..., δ − 1} ⊂ J(C). In the case of the binary Golay code, this means we can only expect to decode errors of weight at most 2 in this way.

As in the previous section, we assume that the transmitted codeword was g(X). Suppose the following error occurs:

e = (1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0).

Then the received word is

y = (0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0),

corresponding to the polynomial

$$r(X) = X + X^5 + X^6 + X^7 + X^9 + X^{11} + X^{17}.$$

After we receive this word, we can compute the following syndromes:

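$$
\begin{aligned}
s_1 &= r(\alpha) = \beta^{10} + \beta^9 + \beta^7 + \beta^6 + 1 \\
s_2 &= r(\alpha^2) = s_1^2 = \beta^7 + \beta^5 + \beta^2 + \beta \\
s_3 &= r(\alpha^3) = s_1^{256} = \beta^8 + \beta^7 + \beta^6 + \beta^5 \\
s_4 &= r(\alpha^4) = s_1^4 = \beta^{10} + \beta^5 + \beta^4 + \beta^3 + \beta^2.
\end{aligned}
$$

Following Section ?? we define

$$S(Z) = s_1 + s_2 Z + s_3 Z^2 + s_4 Z^3$$

and we start the Euclidean algorithm on S(Z) and $Z^4$. We find

$$Z^4 = S(Z)q_1(Z) + r_1(Z),$$

with

$$q_1(Z) = (\beta^9 + \beta^3 + \beta^2 + 1)Z + \beta^{10} + \beta^9 + \beta^5 + \beta$$

and

$$r_1(Z) = (\beta^{10} + \beta^9 + \beta^7 + \beta^6 + \beta^5 + \beta^4)Z^2 + (\beta^{10} + \beta^9 + \beta^7 + \beta^5 + \beta^4 + \beta^3)Z + (\beta^9 + \beta^6 + \beta^2 + 1).$$

In the following step we get

$$S(Z) = r_1(Z)q_2(Z) + r_2(Z),$$

with

$$q_2(Z) = (\beta^{10} + \beta^3 + \beta^2 + 1)Z + (\beta^{10} + \beta^7 + \beta^6 + \beta)$$

and

$$r_2(Z) = (\beta^7 + \beta^6 + \beta^3 + \beta^2 + \beta + 1).$$

Since $\deg(r_1(Z)) \geq 2$ and $\deg(r_2(Z)) \leq 1$ we can stop the algorithm and compute

$$
\begin{aligned}
U_2(Z) &= q_2(Z)U_1(Z) + U_0(Z) \\
&= q_2(Z)q_1(Z) + 1 \\
&= (\beta^9 + \beta^8 + \beta^6)Z^2 + (\beta^7 + \beta^6 + \beta^3 + \beta^2 + \beta + 1)Z + \beta^9 + \beta^8 + \beta^7 + \beta^3 + \beta^2 + \beta + 1.
\end{aligned}
$$

From this we find

$$
\begin{aligned}
\sigma(Z) &= U_2(Z)/(\beta^9 + \beta^8 + \beta^7 + \beta^3 + \beta^2 + \beta + 1) \\
&= (\beta^{10} + \beta^9 + \beta^7 + \beta^6)Z^2 + (\beta^{10} + \beta^9 + \beta^7 + \beta^6 + 1)Z + 1.
\end{aligned}
$$

Since the zeros of σ(Z) are Z = 1 and $Z = \alpha^6$, we conclude that the error locators are 1 and $\alpha^{17}$ and thus that the error vector is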

e = (1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0).

We retrieve the transmitted codeword by computing c = y − e.
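The computation of this section can be replayed with a short implementation of Euclid's algorithm over the field defined in Section 3; this is an added example, not code from the original text, and its function names and the log-table representation of field elements (11-bit integers, bit k being the coefficient of β^k) are choices made here.

```python
from functools import reduce

MOD, N = 0b100000000101, 23                  # beta^11 + beta^2 + 1; code length
EXP = [1]                                    # EXP[i] = beta^i as an 11-bit mask
for _ in range(2046):
    x = EXP[-1] << 1
    EXP.append(x ^ MOD if x >> 11 else x)
LOG = {v: i for i, v in enumerate(EXP)}
LOC = [EXP[89 * i % 2047] for i in range(N)]    # alpha^i with alpha = beta^89

def mul(a, b):
    return EXP[(LOG[a] + LOG[b]) % 2047] if a and b else 0

def deg(p):                                  # polynomials: coefficient lists, low degree first
    return max((i for i, c in enumerate(p) if c), default=-1)

def evaluate(p, x):                          # Horner's rule
    return reduce(lambda r, c: mul(r, x) ^ c, reversed(p), 0)

def pmul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= mul(a, b)
    return out

def pdivmod(a, b):
    a, q, db = a[:], [0] * len(a), deg(b)
    lead_inv = EXP[-LOG[b[db]] % 2047]
    while deg(a) >= db:
        d = deg(a)
        q[d - db] = c = mul(a[d], lead_inv)
        for i in range(db + 1):
            a[d - db + i] ^= mul(c, b[i])
    return q, a

def key_equation(S, t):                      # Euclid on Z^(2t) and S(Z); stop once deg r < t
    r0, r1, u0, u1 = [0] * (2 * t) + [1], S[:], [0], [1]
    while deg(r1) >= t:
        q, r = pdivmod(r0, r1)
        nxt = pmul(q, u1)                    # U_i = q_i U_{i-1} + U_{i-2}
        nxt[:len(u0)] = [x ^ y for x, y in zip(nxt, u0)]
        r0, r1, u0, u1 = r1, r, u1, nxt
    return u1[:deg(u1) + 1]

def error_positions(received, t=2):
    S = [evaluate(received, LOC[j % N]) for j in range(1, 2 * t + 1)]   # s_j = r(alpha^j)
    U = key_equation(S, t)
    pos = [i for i in range(N) if evaluate(U, LOC[-i % N]) == 0]   # zeros are alpha^(-i)
    if len(pos) != deg(U):
        return None                          # no valid locator: more than t errors
    return [mul(EXP[-LOG[U[0]] % 2047], c) for c in U], pos    # sigma = U / U(0)

Y = [0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]  # y of this section
```

Calling `error_positions(Y)` returns the coefficients of σ(Z), lowest degree first, together with the error positions 0 and 17.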

Exercise 5.1 Do the same example with the algorithm of Berlekamp-Massey instead of Euclid’s algorithm.

6 Exercises

Let C be the binary cyclic code of length 15 with defining set J = {1, 3, 5}. In the following, $\alpha \in \mathbb{F}_{16}$ will denote a primitive element satisfying $\alpha^4 + \alpha + 1 = 0$.

Exercise 6.1 Show that the complete defining set is given by

J(C) = {1, 2, 3, 4, 5, 6, 8, 9, 10, 12},

and that C has generator polynomial

$$g(X) = 1 + X + X^2 + X^4 + X^5 + X^8 + X^{10}.$$

Determine the dimension of the code and apply the BCH bound on the minimum distance.

In order to find the true minimum distance of C, we will determine all codewords of weight 7.

Exercise 6.2 Write down the equations of the system $S_C(7)$ and reduce the system by setting $A_0 = b$ and $A_7 = a$ and expressing everything in a, b and $\sigma_1, \sigma_2, \ldots, \sigma_7$. Compute a Gröbner basis for the ideal defined by $S_C(7)$ and answer the following questions:

1. How many codewords of weight 7 does C have?
2. Determine a set M and polynomials σ(X, a) such that σ(X, a) has as zeros the locators of a codeword of weight 7 if and only if a ∈ M.
3. Prove that $\sigma(X, \alpha^i) = \sigma(\alpha^{13i} X, 1)$. What does this show?

We will now use code C to decode a word that is a transmitted codeword in which errors have occurred. First we choose a codeword in C.

Exercise 6.3 Pick your favorite polynomial m(X) ∈ F2[X] of degree at most 4 and encode it by computing

$$c(X) = m(X)g(X) \bmod (X^{15} + 1).$$

Now choose a random binary error vector e of weight at most 3 and compute the word r that is received at the other end of the channel:

r = c + e.

We will decode the received codeword using all the algorithms we have discussed. If you want you can exchange the word r you have chosen with someone else and try to decode the word “he/she sent you”.

Exercise 6.4 Compute the syndromes $s_1 = r(\alpha)$, $s_3 = r(\alpha^3)$ and $s_5 = r(\alpha^5)$ and proceed with Algorithm ??. You have to use a computer algebra package that can compute Gröbner bases over $\mathbb{F}_{16}$. Compare your result with the codeword that was sent.

Now compute all syndromes $s_1, s_2, \ldots, s_6$ and define the syndrome polynomial

$$S(Z) = s_1 + s_2 Z + s_3 Z^2 + s_4 Z^3 + s_5 Z^4 + s_6 Z^5.$$

Set

$$\sigma(Z) = 1 + \sigma_1 Z + \sigma_2 Z^2 + \sigma_3 Z^3.$$

We want to determine the $\sigma_i$ such that σ(Z) has as its zeros the reciprocals of the error positions of e. We have seen two algorithms for this.

Exercise 6.5 Apply Sugiyama’s algorithm to the situation here: compute the greatest common divisor of $Z^6$ and S(Z) until the stop criterion of the algorithm is reached. Determine σ(Z) from this and determine its zeros and thus the error positions. Compare your result with the codeword that was sent.

Exercise 6.6 Determine σ(Z) by applying the Berlekamp-Massey algorithm. Again find the error locators and compare this with your result from the previous exercise.

If the number of errors that were made during transmission is equal to 3, we can use the formulas we found by one-step decoding.

Exercise 6.7 Look up in Example ?? the formula corresponding to a 3-error correcting binary BCH code, substitute the syndromes you have computed, and determine the zeros and hence the error positions of the equation.
